Гайд The magic behind Aimware

Пользователь
Статус
Оффлайн
Регистрация
27 Июл 2019
Сообщения
59
Реакции[?]
402
Поинты[?]
2K
Aimware is one of the most long-lived projects on csgo cheating scene. It's known for its features and ...security, aimware hasn't been cracked for years. There were attempts, many of them, but not any actually succeeded until October 2021.
This superiority of aimware security comes from the unique techniques and implementations which honestly, I haven't seen ever before. As aimware is not the uncrackable project anymore I decided to share you some tricks it uses for education purposes.

1. Imports
If you're reading this article, you're probably aware of what imports are and how their references are implemented in some hacks, malwares etc. Well, the basic flow in any compiled PE binary is function -> IAT ptr call (via call/jmp dword) -> thus jump to the import address. Many hacks (e.g. ot and ft) use other technique: they find all references to IAT while mapping, then patching them to direct calls/jmps, but the problem is opcode length difference: call iat ptr opcode is 2 bytes length (FF 15) but direct (relative) call's opcode is only 1 byte (E8). In these hacks the problem is solved by adding a junk byte to the instruction, onetap uses 0x67 junk byte as a prologue to import call, fatality uses 0x90 which is nop instruction.
Aimware is ahead of the game ahead of these hacks. All imports in aimwhere are being called by direct rets to them, the import value as well as return address (which is function_base + stub_start + stub_length) is pushed into the stack and then immediately returned. After import execution the jump appears which redirects us to random binary address where's function execution flow continues. In short, aimware imports abusing the stack and stubbing binary for small pieces which are randomly shuffled over it.
So, the jump is a single push (target) and the call is a double push (ret + target).


(a function with import reference inside)

2. Memory encryption
As you may know there's a table in every PE file called initterm which initializes some pointers, constants, predefined constructors etc before the dllmain is reached. There's such table in aimware as well but ... it's encrypted. Aimware uses unique identifier known as cpuid which is really reasonable since cpuid is a common processor instruction. So, the flow of each initterm function is: vtable reference -> stub which starts decryption loop -> decryption loop itself (xor'ing by cpuid values, rotating bits) -> jump to the decrypted function prologue -> after function is executed the encryption stub is called, here the functions is being crypted with rdtsc (instruction that returns time, it means that you won't be able to decrypt a function once it's executed unless you know each rdtsc value in crypt loop).
While bypassing this trick I came with the solution of patching all of cpuid references to ud2 (or int3, doesn't matter in this context) and then filling eax, ebx, ecx and edx registers with desired values.


(encrypted function, completely unreadable)


(decrypted function)

Nothing more?
Incorrect, aimware has a mutator implementation as well which means its binary is being randomly shuffled each time you load the hack. No possible way to find relocs ...at all.
There're also some security tricks (e.g. thread validation) but I think they are not that standing out as imports and memory encryption. If you want to analyze deeper and look how does the amazing custom security look like, go buy aimware the superior hack.

While analyzing aimware you probably will realize (as I did) how insignificant many of hacks are... They randomly use virtualization which leads to extremely long loading time (come and say "hi" to fatality) and which doesn't help them at all. For all young readers: virtualization is a strong and powerful obfuscation technique but it won't help you if you use it mindlessly.
 
Главный модератор
Главный Модератор
Статус
Оффлайн
Регистрация
13 Фев 2018
Сообщения
1,093
Реакции[?]
801
Поинты[?]
146K
Ого, папочка жив. Велкам ту зе клаб, бадди
А вообще - учите инглиш, пацаны. И тогда будете как вилка - низко флексить рубахой из барбери и писать посты про сесюрити аимвара в 7 утра :CoolCat:
 
купить дизайн: yougame.biz/threads/155999
Дизайнер
Статус
Оффлайн
Регистрация
19 Сен 2018
Сообщения
793
Реакции[?]
1,380
Поинты[?]
9K
юц с югеймом перепутал, бывает
 
꧁꧂
Участник
Статус
Оффлайн
Регистрация
23 Мар 2020
Сообщения
549
Реакции[?]
356
Поинты[?]
10K
Can you make a video about how to hack fatality? After that, 99% of people after viewing will be very interested in hacking and eventually become very literate
that's quite an interesting idea, but in reality a lot of csgo programmers won't be unable to understand this a due to loss of intellect. but I would like to see this type of video
 
Легенда форума
Статус
Оффлайн
Регистрация
10 Дек 2018
Сообщения
4,380
Реакции[?]
2,284
Поинты[?]
189K
Ужас. Я так понимаю, статья целенаправленно писалась для югейма, в таком случае встаёт вопрос, почему она на английском языке?
лайк за контент энивей
 
Я программист
Участник
Статус
Оффлайн
Регистрация
21 Сен 2017
Сообщения
433
Реакции[?]
244
Поинты[?]
1K
Забаненный
Статус
Оффлайн
Регистрация
27 Окт 2022
Сообщения
40
Реакции[?]
9
Поинты[?]
0
Обратите внимание, пользователь заблокирован на форуме. Не рекомендуется проводить сделки.
дохуя текста, сделал бы в конце для ленивых в двух словах, на инглише, не на инглише, похуй, текста дохуя
 
You're mom
Начинающий
Статус
Оффлайн
Регистрация
1 Июл 2020
Сообщения
75
Реакции[?]
16
Поинты[?]
1K
дохуя текста, сделал бы в конце для ленивых в двух словах, на инглише, не на инглише, похуй, текста дохуя
было бы это тебе нужным и интересным, ты бы о таком вовсе не подумал xd
 
bibitka
Пользователь
Статус
Оффлайн
Регистрация
26 Июн 2020
Сообщения
133
Реакции[?]
66
Поинты[?]
0
If you're reading this article, you're probably aware of what imports are and how their references are implemented in some hacks, malwares etc. Well, the basic flow in any compiled PE binary is function -> IAT ptr call (via call/jmp dword) -> thus jump to the import address. Many hacks (e.g. ot and ft) use other technique: they find all references to IAT while mapping, then patching them to direct calls/jmps, but the problem is opcode length difference: call iat ptr opcode is 2 bytes length (FF 15) but direct (relative) call's opcode is only 1 byte (E8). In these hacks the problem is solved by adding a junk byte to the instruction, onetap uses 0x67 junk byte as a prologue to import call, fatality uses 0x90 which is nop instruction.
Не совсем понял. ff15 является инструкцией которая разыменовывает rva указатель и делает по нему прыжок. e8 это вызов по rva. Rva в инструкциях x64 это 4 байта. Адреса загрузки библиотек в x64 могут быть дальше от инструкции, чем максимальное значения dword.

P.s блять, вспомнил, кска же 32 битная...
 
Последнее редактирование:
Участник
Статус
Оффлайн
Регистрация
16 Дек 2018
Сообщения
991
Реакции[?]
177
Поинты[?]
17K
дохуя текста, сделал бы в конце для ленивых в двух словах, на инглише, не на инглише, похуй, текста дохуя
в двух словах специально для тебя: защита в ав лучше чем в фт и от. Доступно?
 
Забаненный
Статус
Оффлайн
Регистрация
27 Окт 2022
Сообщения
40
Реакции[?]
9
Поинты[?]
0
Обратите внимание, пользователь заблокирован на форуме. Не рекомендуется проводить сделки.
Забаненный
Статус
Оффлайн
Регистрация
12 Фев 2022
Сообщения
47
Реакции[?]
6
Поинты[?]
0
Обратите внимание, пользователь заблокирован на форуме. Не рекомендуется проводить сделки.
polak/zim/badster don't care about this actually they making money from it they literally just update cheat, put some features just make people happy "omg, new feature new update omg omg" i bet they their loader just a lil bit in 3/4 months because polak is busy swiss only update client version, badster dunno about this dude just collecting lambo's at his house. fatality? fatality.win injecting 50 years.

p.s if people "russian people" and other people think aimware with v5.1 update is AHEAD of the game they're retarded aimware was a head of the game when v4 was on top and prime they fucked up V5 absolutely only i can say aimware has one of the most best legitbot i've ever seen or used.
 
Государственная служба РФ
Пользователь
Статус
Оффлайн
Регистрация
26 Дек 2018
Сообщения
361
Реакции[?]
70
Поинты[?]
0
Сверху Снизу